Merge pull request #11767 from amenonsen/vault-new-password-file
add option to ansible-vault to read new password from file for rekey
commit
16e8a7dd67
4 changed files with 31 additions and 6 deletions
|
@ -2,12 +2,12 @@
|
||||||
.\" Title: ansible-vault
|
.\" Title: ansible-vault
|
||||||
.\" Author: [see the "AUTHOR" section]
|
.\" Author: [see the "AUTHOR" section]
|
||||||
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
|
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
|
||||||
.\" Date: 12/09/2014
|
.\" Date: 07/28/2015
|
||||||
.\" Manual: System administration commands
|
.\" Manual: System administration commands
|
||||||
.\" Source: Ansible 1.9
|
.\" Source: Ansible 2.0.0
|
||||||
.\" Language: English
|
.\" Language: English
|
||||||
.\"
|
.\"
|
||||||
.TH "ANSIBLE\-VAULT" "1" "12/09/2014" "Ansible 1\&.9" "System administration commands"
|
.TH "ANSIBLE\-VAULT" "1" "07/28/2015" "Ansible 2\&.0\&.0" "System administration commands"
|
||||||
.\" -----------------------------------------------------------------
|
.\" -----------------------------------------------------------------
|
||||||
.\" * Define some portability stuff
|
.\" * Define some portability stuff
|
||||||
.\" -----------------------------------------------------------------
|
.\" -----------------------------------------------------------------
|
||||||
|
@ -43,7 +43,12 @@ The following options are available to all sub\-commands:
|
||||||
.PP
|
.PP
|
||||||
\fB\-\-vault\-password\-file=\fR\fIFILE\fR
|
\fB\-\-vault\-password\-file=\fR\fIFILE\fR
|
||||||
.RS 4
|
.RS 4
|
||||||
A file containing the vault password to be used during the encryption/decryption steps\&. Be sure to keep this file secured if it is used\&.
|
A file containing the vault password to be used during the encryption/decryption steps\&. Be sure to keep this file secured if it is used\&. If the file is executable, it will be run and its standard output will be used as the password\&.
|
||||||
|
.RE
|
||||||
|
.PP
|
||||||
|
\fB\-\-new\-vault\-password\-file=\fR\fIFILE\fR
|
||||||
|
.RS 4
|
||||||
|
A file containing the new vault password to be used when rekeying a file\&. Be sure to keep this file secured if it is used\&. If the file is executable, it will be run and its standard output will be used as the password\&.
|
||||||
.RE
|
.RE
|
||||||
.PP
|
.PP
|
||||||
\fB\-h\fR, \fB\-\-help\fR
|
\fB\-h\fR, \fB\-\-help\fR
|
||||||
|
|
|
@ -36,7 +36,15 @@ The following options are available to all sub-commands:
|
||||||
*--vault-password-file=*'FILE'::
|
*--vault-password-file=*'FILE'::
|
||||||
|
|
||||||
A file containing the vault password to be used during the encryption/decryption
|
A file containing the vault password to be used during the encryption/decryption
|
||||||
steps. Be sure to keep this file secured if it is used.
|
steps. Be sure to keep this file secured if it is used. If the file is executable,
|
||||||
|
it will be run and its standard output will be used as the password.
|
||||||
|
|
||||||
|
*--new-vault-password-file=*'FILE'::
|
||||||
|
|
||||||
|
A file containing the new vault password to be used when rekeying a
|
||||||
|
file. Be sure to keep this file secured if it is used. If the file
|
||||||
|
is executable, it will be run and its standard output will be used as
|
||||||
|
the password.
|
||||||
|
|
||||||
*-h*, *--help*::
|
*-h*, *--help*::
|
||||||
|
|
||||||
|
|
|
@ -258,6 +258,10 @@ class CLI(object):
|
||||||
parser.add_option('--vault-password-file', default=C.DEFAULT_VAULT_PASSWORD_FILE,
|
parser.add_option('--vault-password-file', default=C.DEFAULT_VAULT_PASSWORD_FILE,
|
||||||
dest='vault_password_file', help="vault password file", action="callback",
|
dest='vault_password_file', help="vault password file", action="callback",
|
||||||
callback=CLI.expand_tilde, type=str)
|
callback=CLI.expand_tilde, type=str)
|
||||||
|
parser.add_option('--new-vault-password-file',
|
||||||
|
dest='new_vault_password_file', help="new vault password file for rekey", action="callback",
|
||||||
|
callback=CLI.expand_tilde, type=str)
|
||||||
|
|
||||||
|
|
||||||
if subset_opts:
|
if subset_opts:
|
||||||
parser.add_option('-t', '--tags', dest='tags', default='all',
|
parser.add_option('-t', '--tags', dest='tags', default='all',
|
||||||
|
|
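Review bot: The help string for `--new-vault-password-file` does not say that an executable file is run and its standard output used as the password, which the man page text in this same commit documents. Someone who reads only `--help` would not learn that the path may be executed. A wording such as `help="new vault password file for rekey (run if executable; its stdout is the password)"` would carry that. The option is also registered beside `--vault-password-file`, so it presumably appears on every command that enables the vault options although only rekey uses it; the enclosing method starts outside the hunk, so this cannot be confirmed from here.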
|
@ -77,6 +77,10 @@ class VaultCLI(CLI):
|
||||||
else:
|
else:
|
||||||
self.vault_pass, _= self.ask_vault_passwords(ask_vault_pass=True, ask_new_vault_pass=False, confirm_new=False)
|
self.vault_pass, _= self.ask_vault_passwords(ask_vault_pass=True, ask_new_vault_pass=False, confirm_new=False)
|
||||||
|
|
||||||
|
if self.options.new_vault_password_file:
|
||||||
|
# for rekey only
|
||||||
|
self.new_vault_pass = CLI.read_vault_password_file(self.options.new_vault_password_file)
|
||||||
|
|
||||||
if not self.vault_pass:
|
if not self.vault_pass:
|
||||||
raise AnsibleOptionsError("A password is required to use Ansible's Vault")
|
raise AnsibleOptionsError("A password is required to use Ansible's Vault")
|
||||||
|
|
||||||
|
@ -125,7 +129,11 @@ class VaultCLI(CLI):
|
||||||
for f in self.args:
|
for f in self.args:
|
||||||
if not (os.path.isfile(f)):
|
if not (os.path.isfile(f)):
|
||||||
raise AnsibleError(f + " does not exist")
|
raise AnsibleError(f + " does not exist")
|
||||||
__, new_password = self.ask_vault_passwords(ask_vault_pass=False, ask_new_vault_pass=True, confirm_new=True)
|
|
||||||
|
if self.new_vault_pass:
|
||||||
|
new_password = self.new_vault_pass
|
||||||
|
else:
|
||||||
|
__, new_password = self.ask_vault_passwords(ask_vault_pass=False, ask_new_vault_pass=True, confirm_new=True)
|
||||||
|
|
||||||
for f in self.args:
|
for f in self.args:
|
||||||
this_editor = VaultEditor(None, self.vault_pass, f)
|
this_editor = VaultEditor(None, self.vault_pass, f)
|
||||||
|
|
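Review bot: `if self.new_vault_pass:` in the rekey hunk reads an attribute that the visible code assigns only inside `if self.options.new_vault_password_file:`. Unless the constructor (outside these hunks) already sets it, a rekey without the option would raise AttributeError instead of prompting; initialising `self.new_vault_pass = None` alongside the existing password attribute would close that. The read in the first hunk is also not gated on the rekey subcommand despite the `# for rekey only` comment, so a file passed to any other subcommand is still read, and run if it is executable. A password taken from the file skips the `confirm_new=True` prompt, so an empty result should be rejected with an explicit error rather than silently falling back to the interactive prompt. Both enclosing methods start and end outside the hunks.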